Find the answers to common questions about the Windows firewall and how the Windows STIGs control it.
Why do we need to have the Windows firewall on at all times?
Firewalls provide a barrier between your computer and the network to prevent unwanted traffic. The use of hardware firewalls to protect an office from unwanted traffic is considered essential, but current best practice also suggests the addition of a client-based firewall on all systems. While the hardware firewall does protect systems against traffic that flows across the WAN, the client-based firewall offers an additional layer of protection against traffic that may have entered the internal network through other means. If, for example, a virus was introduced into an office through a laptop or other removable media, it would now be active behind the hardware firewall and able to move from client to client. While there are third-party options available for client firewall protection, the built-in Windows firewall allows for granular control and GPO management.
What are firewall profiles and how do they help to control the environment?
The Windows firewall is broken down into three profiles called Domain, Private, and Public. Each of these profiles has its own settings and is activated based on the sort of network the system is connected to. The Domain profile is used when the system is connected to the GS Domain within USGS (for all systems joined to the domain). The Private profile is used when a system is connected to a home network or when a system is part of a workgroup. The Public profile is used when a computer is connected to a network in a public area. The system determines whether a network is Private or Public by prompting the user. This choice is then stored on the computer, and the system uses that profile for all future connections to that network. If a system is connected to more than one network at a time, for example connected to a home wireless network while also using an eRAS VPN connection, Windows uses a feature called multiple access firewall profiles (MAFP) to apply the appropriate profile to each portion of the connection.
What does the Windows firewall block and allow?
The Windows firewall allows all outgoing traffic and also allows all incoming traffic that was solicited. This means that if a request goes from the client to a site or server, the response is allowed through the firewall because the request was solicited. By default, the Windows firewall blocks all unsolicited incoming traffic that is not allowed by the firewall rules. This means that traffic incoming to the client may be blocked if it was not requested or if there is not a rule in place to allow that specific traffic to the client(s).
Why do we control the firewall settings with a GPO?
NIST and DOI require that the firewall is on at all times, that merging is turned off, and that the rules are managed. The only way to manage the Windows firewall rules with merging turned off is through a GPO firewall policy.
Having a GPO firewall policy creates a firewall standard on all USGS client systems. It also allows all variations and deviations from the standard firewall policy to be tracked, because adjustments to firewall rules must also be made with GPO.
Great effort was put forth to ensure that the USGS firewall policy is secure and has minimum impact on the mission of USGS.
What is merging and how does this work?
It is possible for firewall rules to be controlled at the GPO level and at the client level. If the merging setting is on, the resultant firewall rule set can be a combination of the rules defined at the GPO level and the individual rules allowed on each client. NIST and DOI require that merging is “off” for all three profiles of the Windows firewall. The reason merging is off is so that firewall rules are controlled and managed centrally. If merging is turned on, there is no way of knowing what rules are set on each client in the Department. When merging is off, even though it might appear that firewall settings are being set at the client level, the GPO firewall settings are the only rules that actually apply.
Open a cmd window, choosing to Run as Administrator. In the cmd window launch wf.msc, which is the Windows Firewall with Advanced Security tool. The inbound rules will be listed as items with green check boxes to indicate that inbound rules are allowed, but this list can be confusing. While the list may include items the local client has automatically added for all the software packages installed on the machine, the only rules actually enforced on the machine are those set by the GPO. In the screenshot below, although the Windows client has added inbound rules for Adobe and AFS products, these are not part of the GPO firewall rule set, whereas the BWTST Custom rules for Ultrabac are applied with GPO.
USGS consulted with Microsoft when creating the GPO Firewall rules and it was determined that software rules were not necessary at the GPO level. BWTST has tested and found only a few exceptions to this.
What does it mean when I see a firewall pop-up on my Windows client systems?
As stated in the previous section, as software is installed and launched, the Windows client will add rules to the local firewall policy to “allow” or “deny” the software. This happens the first time a software package is launched. If a software package uses multiple features, the pop-up may appear multiple times for that package.
An example of this is that when you launch Lotus Notes or NX (a product used to securely connect to Unix), Security Alert boxes will appear stating that the software is being blocked.
The pop-ups indicate that the software is being blocked, and rules are in turn added to the client inbound firewall rule set, but because merging is set to off, none of the client rules are actually enforced. Having software cause a pop-up message on the client, and seeing inbound or outbound rules on the client machine, does not accurately reflect the rules that apply to the system. Only unsolicited inbound traffic that is not allowed by the GPO firewall rule set is blocked.
What are the firewall settings in the USGS Windows Computer Policy and how do they interact with client settings?
A list of firewall settings that have been incorporated into the final USGS FDCC STIG for Windows GPO.
When a GPO with Firewall rules is applied to clients with the merging setting set to no, as is the case with the STIG, local firewall policy settings are not used.
The only way to adjust the GPO firewall settings to a client(s) is to create and link an additional GPO firewall rule set to the OU structure. These GPO rule sets will merge to create a resultant set of policies.
How can the client firewall log file be used to troubleshoot issues?
Open a cmd window, choosing to Run as Administrator. In the cmd window launch wf.msc, which is the Windows Firewall with Advanced Security tool.
In the left panel click Monitoring. In the right panel under the Logging Settings grouping will be a hyperlink to the right of the file name variable.
Click on this link to launch the firewall log file for this client.
The log file consists of rows of traffic information covering both incoming and outgoing traffic. If a packet has a SEND or RECEIVE status then it was delivered successfully. If the row shows DROP, that indicates an undelivered packet. When troubleshooting a potential firewall issue, replicate the issue and check the log entries associated with that activity. If there is a row with a denied packet, then the firewall is blocking that traffic.
Important information can be gathered from the following columns:
- date – the date the packet was transferred or attempted to transfer
  - Use the date when troubleshooting an issue. Find the entries associated with the issue.
- time – the time the packet was transferred or attempted to transfer
  - Use the time when troubleshooting an issue. Find the time associated with the issue.
- action – the behavior of the packet, whether allow, deny, or drop
  - Determine whether that packet was meant to be allowed or denied based on the GPO firewall rule set in the STIG in combination with local GPO firewall rules. If the packet is Dropped, this indicates the transmission was interrupted or a firewall rule may be preventing the transmission.
- protocol – the protocol the packet is being transferred over
  - Determine the protocol being communicated at the time of the issue.
- src-ip – the source IP address
  - Determine the source IP of the packet communication.
- dst-ip – the destination IP address
  - Determine the destination IP of the packet communication.
- src-port – the source port number the packet is being transferred over
  - Determine the source port over which the packet is being transferred.
- dst-port – the destination port number the packet is being transferred over
  - Determine the destination port over which the packet is being delivered.
- size – the size of the packet that is transferred
  - Determine the size of the packet being transferred.
- path – the direction of the packet transfer, either SEND or RECEIVE
  - If the status is SEND, this refers to outbound transmissions, which are all open by default. If the status is RECEIVE, this refers to inbound traffic, which is only allowed based on solicited requests or GPO firewall rules.
If lines are found that say “Drop” and “Receive”, and these time and date stamps correlate to the potential firewall issue, then record the source IP address, Protocol, and port to help define needed firewall rules.
Please remember that only unsolicited incoming traffic that is not allowed in the GPO firewall rules is blocked. All outgoing traffic and solicited incoming traffic that is a response to an outgoing request is not blocked.
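As an added example (not part of the original FAQ or of any USGS tooling), the script below parses a log in the pfirewall.log layout described above and reports only the DROP/RECEIVE rows, grouped by the source IP, protocol and destination port that the troubleshooting steps say to record. The log content is constructed and uses RFC 5737 documentation addresses; the file path is assumed, so point it at the log file opened from the Monitoring pane.

```python
"""Summarise unsolicited inbound packets a Windows Firewall log (pfirewall.log
layout) shows as dropped. Added example; the log below is constructed and
uses RFC 5737 documentation addresses, not real hosts."""
from collections import Counter

# Constructed sample log. A "#Fields:" header names the columns; data rows
# are space separated and "-" marks an empty field.
SAMPLE_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:23:45 ALLOW TCP 10.0.0.5 198.51.100.20 51234 443 52 S 1 0 8192 - - - SEND
2024-01-15 10:23:45 ALLOW TCP 198.51.100.20 10.0.0.5 443 51234 52 AS 1 2 8192 - - - RECEIVE
2024-01-15 10:24:01 DROP TCP 192.0.2.10 10.0.0.5 40001 445 52 S 3 0 8192 - - - RECEIVE
2024-01-15 10:24:03 DROP TCP 192.0.2.10 10.0.0.5 40002 445 52 S 4 0 8192 - - - RECEIVE
2024-01-15 10:24:09 DROP UDP 192.0.2.77 10.0.0.5 5353 5353 120 - - - - - - - RECEIVE
2024-01-16 08:00:00 DROP TCP 10.0.0.5 192.0.2.99 52000 8080 52 S 5 0 8192 - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names after the token
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):   # skip corrupt rows
                yield dict(zip(fields, values))

def dropped_inbound(text, date=None):
    """Count DROP/RECEIVE rows by (src-ip, protocol, dst-port); these are the
    unsolicited inbound packets the GPO rule set blocked and the tuple the FAQ
    says to record. DROP/SEND rows are counted separately so outbound drops
    are not mistaken for inbound blocks. `date` narrows to the day of the issue."""
    inbound, outbound = Counter(), 0
    for row in parse_firewall_log(text):
        if row["action"] != "DROP" or (date and row["date"] != date):
            continue
        if row["path"] == "RECEIVE":
            inbound[(row["src-ip"], row["protocol"], row["dst-port"])] += 1
        elif row["path"] == "SEND":
            outbound += 1
    return inbound, outbound

if __name__ == "__main__":
    drops, out = dropped_inbound(SAMPLE_LOG, date="2024-01-15")
    print(drops.most_common(), "outbound drops:", out)
```

To run it against a real client, replace SAMPLE_LOG with the contents of the log file opened from the Monitoring pane (assumed path, typically under the Windows directory) and pass the date of the reproduced issue.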
Information on known issues that require additional firewall rules can be found at __________. If an issue is encountered that is not on this known issues list, please contact GS HELP WINDOWS.